Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

AppInsights: PII is logged even if logPersonalInformation is false

See original GitHub issue

Version

4.11.0

Describe the bug

BBF always logs the user’s text.

To Reproduce

Have bot with AppInsights integration. Configure the bot to not log the user’s personal information as per doc https://docs.microsoft.com/en-us/azure/bot-service/bot-builder-telemetry?view=azure-bot-service-4.0&tabs=csharp.
Talk to the bot
Look into any event that logs the Recognizer telemetry, e.g. ValueRecognizerResult
Check the customDimensions, you will find “Text” property there. Example:

{
    "conversationId": "0a9d58c0-3301-11eb-bf90-2102e829151f|livechat",
    "activityType": "message",
    "channelId": "emulator",
    "activityId": "2d360170-3301-11eb-98d6-891267dfc0ed",
    "TopIntentScore": "Microsoft.Bot.Builder.IntentScore",
    "Entities": {
        "instance": {
            "Ordinal": [
                {
                    "Name": "Ordinal",
                    "Value": 2,
                    "Start": 4,
                    "End": 9,
                    "Text": "second"
                }
            ]
        }
    },
    "TopIntent": "test2",
    "Intents": {
        "test2": { "score":0.989161491394043 }
    },
    "Text": "the second test"
}

Expected behavior

User’s text should not be logged if logPersonalInformation == false

Additional context

The issue is that the LogPersonalInformation property is in TelemetryLoggerMiddleware. It should be a property in IBotTelemetryClient (it should be virtual on BotTelemetryClient).
FillRecognizerResultTelemetryProperties method should check the property on the logger and it shouldn’t log text or alteredtext if LogPersonalInformation == false.
Also, we need to do additional analysis to ensure that we don’t log PII in recognizerResult.Properties object.

Issue Analytics

State:
Created 3 years ago
Comments:7 (6 by maintainers)

Top GitHub Comments

1reaction

Robulanecommented, Dec 8, 2020

@Zerryth, yes, TelemetryLoggerMiddleware handles PII as expected. This bug is about the fact that there other places in BBF that log PII data. Examples that I found:

All recognizer results (ValueRecognizerResult, RegexRecognizerResult, RecognizerSetResult, etc.)
GeneratorResult can log text that may contain PII data in “text” field

0reactions

Zerrythcommented, Dec 16, 2020

Update: still working on this.

I’ve spoken with Eric regarding best practices/design issue that arises around

There being a lot of classes that derive from Recognizer
Implementing the LogPersonalInformation flag
LogPersonalInformation wanting to be a BoolExpression (which needs dependency on AdaptiveExpressions) for adaptive bits, but only a bool for non-adaptive

It goes deeper, however Eric said maybe we should discuss best practices with Gabo, since current solution we can think of isn’t that pretty